docs/self-hosting/security.mdx
We take the security of Trigger.dev seriously, for both Cloud and self-hosted deployments. This page covers how to report a vulnerability, what to expect, and how to stay informed about security releases.
<Warning> Do not report security vulnerabilities through public GitHub issues, pull requests, or Discord. Use one of the private channels below. </Warning>| Stage | Target |
|---|---|
| Acknowledgement | within 3 business days |
| Validation + CVSS 3.1 severity assessment | within 1 week |
We score issues with CVSS 3.1 and prioritise remediation by severity:
| Severity (CVSS 3.1) | Target time to resolve |
|---|---|
| Critical (9.0–10.0) | 7 days |
| High (7.0–8.9) | 30 days |
| Medium (4.0–6.9) | 90 days |
| Low (0.1–3.9) | As needed |
We patch the latest released version line only. Run the latest version-tagged release to receive security fixes — see Self-hosting overview.